Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aliyun Sls Openclaw Integration
v1.0.0Use when the user needs to integrate OpenClaw with Alibaba Cloud SLS/Observability, including collector setup, machine groups, indexes, dashboards, collectio...
⭐ 0· 27·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name and description (OpenClaw <> Alibaba SLS integration) align with its actions: installing aliyun CLI, installing LoongCollector, creating machine groups, indexes, dashboards, configs and bindings. However the registry metadata declares no required environment variables while SKILL.md explicitly requires ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET and ALIYUN_UID — an incoherence between declared metadata and the runtime instructions.
Instruction Scope
Runtime instructions perform system-level changes (mkdir/touch under /etc/ilogtail, start services via /etc/init.d), download and run a remote installer, and create a collector config whose FilePaths target user home OpenClaw session files (/home/*/.openclaw/agents/main/sessions/*jsonl). That means local conversation/session logs would be ingested and sent to Alibaba Cloud SLS; this is a high-sensitivity data flow and should be explicitly consented to and validated before execution.
Install Mechanism
Although the download target is region-specific Alibaba OSS (aliyuncs.com) — an official host — the skill instructs downloading a remote shell script (loongcollector.sh) and executing it. There is no packaged install spec in the registry; executing remote install scripts poses a significant risk unless the script is inspected/verified first.
Credentials
The skill requires cloud credentials (ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET) and sudo. Those are reasonable for creating cloud resources and installing system collectors, but the SKILL.md was not reflected in the declared requires.env. More importantly, the collector configuration will read per-user OpenClaw session files from home directories and ship them to SLS — giving the supplied AK/SK access to potentially sensitive conversation data. Ensure least-privilege credentials and that you accept uploading those files to Alibaba Cloud.
Persistence & Privilege
The skill writes system files under /etc/ilogtail, creates UID marker files, installs and starts system services, and creates persistent cloud resources (machine groups, dashboards, configs). While these behaviors are coherent with installing a log collector, they are privileged operations requiring sudo and permanent changes to the host and cloud account; proceed only on hosts and accounts where this is acceptable.
What to consider before installing
This skill will: (1) require and use your Alibaba AK/SK and sudo to install a collector, (2) download and execute a remote loongcollector installer from Alibaba OSS, (3) create system files under /etc/ilogtail and start services, and (4) configure the collector to read OpenClaw session files from users' home directories and send them to SLS dashboards and indexes. Before installing: (a) verify the registry metadata and SKILL.md match (the manifest omits required env vars), (b) inspect loongcollector.sh from the referenced URL before running it, (c) review references/collector-config.json and references/index.json to confirm exactly which file paths and fields will be collected, (d) use least-privilege AK/SK (preferably a test/project-scoped key) and never put high-privilege keys in long-lived hosts, (e) test in an isolated environment or non-production host first, and (f) if you do not want your OpenClaw session or other local files uploaded to Alibaba Cloud, do not run this skill or modify the collector config to exclude sensitive paths.Like a lobster shell, security has layers — review code before you run it.
latestvk97b8x3axk631h15hpwq94fcc5842x13
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
Binsaliyun